Description
A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation of the argument troiaCode results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw in Industrial Application Software IAS Canias ERP 8.03 allows an attacker to pass a malicious troiaCode argument to the RMI interface, causing the server to execute arbitrary OS commands through Runtime.getRuntime.exec. This results in full compromise of the affected system’s confidentiality, integrity, and availability. The CVSS score of 5.3 reflects a moderate severity, indicating that while the vulnerability is exploitable, the impact level is not critical.

Affected Systems

The sole affected product is IAS Canias ERP version 8.03. No other versions are listed, and a patch or fix has not yet been released by the vendor. The vulnerability lies in the component that handles the RMI interface, which is exposed over the network.

Risk and Exploitability

The exploit is publicly released and can be triggered remotely through the RMI endpoint, which may be reachable from the external network. With no EPSS data available, the likelihood of exploitation cannot be quantified, but the absence of a vendor response and publicly available exploit code indicates a real threat. The CVSS score of 5.3 suggests moderate severity; however, the remote nature of the vector elevates the risk of widespread misuse if the RMI interface is not protected.

Generated by OpenCVE AI on May 10, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure firewall or network segmentation to deny external access to the RMI port used by IAS Canias ERP
  • Enable logging and actively monitor for abnormal RMI traffic or repeated exec calls that could indicate a command injection attempt
  • Apply any vendor-issued patch or roll back to a secure configuration once the vendor releases a fix; if none is available, consider replacing the product or isolating the system indefinitely

Advisories

No advisories yet.

History

Sun, 10 May 2026 02:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation of the argument troiaCode results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Industrial Application Software IAS Canias ERP RMI Runtime.getRuntime.exec os command injection
Weaknesses CWE-77, CWE-78
References
Metrics
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T01:15:09.643Z

Reserved: 2026-05-09T07:19:40.377Z

Link: CVE-2026-8217

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T02:16:08.833

Modified: 2026-05-10T02:16:08.833

Link: CVE-2026-8217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T03:30:03Z

Weaknesses